Mass-mailing worms are some of the most prevalent and troublesome threats to Internet users today. Worms like Netsky, Beagle, MyDoom, and most recently, Sober, have caused millions of dollars in damage and cleanup costs. To make matters worse, the increasing availability and quality of runtime packers and other obfuscation tools make it easier for worm writers to automate the creation of new variants of a worm, which makes analysis more complicated and time-consuming.
Generated signatures can be used to detect and block malicious code. However, existing signature generation methods do not account for oligomorphic or polymorphic malicious executable images, which can change their external form each time they replicate. These methods do not recognize that the different forms are instantiations of the same worm, and therefore create a different signature for each new replica of the worm. This can overwhelm any agent (such as a centralized correlation server) that processes the detection and management of malicious code.
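The following is an added illustrative example, not code from this application: six constructed replicas of a hypothetical mass-mailer share one fixed SMTP string but are wrapped in random-length junk, so a whole-image hash yields six distinct signatures, whereas the byte run common to every replica yields one signature that matches them all. Extracting the invariant by longest common substring is an assumption chosen for the demonstration, not the method this application describes.

```python
import hashlib
import random

# Constructed stand-in for the invariant part of a hypothetical mass-mailer
# (SMTP command strings). Synthetic bytes only; no real sample is used.
INVARIANT = b"MAIL FROM:<%s>\r\nRCPT TO:<%s>\r\nDATA\r\n"

def make_replicas(n, seed=7):
    """Build n 'replicas': invariant payload wrapped in varying junk,
    mimicking how a packer or decryptor stub changes the outer form."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        prefix = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 40)))
        suffix = bytes(rng.randrange(256) for _ in range(rng.randrange(8, 40)))
        out.append(prefix + INVARIANT + suffix)
    return out

def exact_signatures(samples):
    """Existing approach: one whole-image hash per sample.
    Every replica gets its own signature."""
    return {hashlib.sha256(s).hexdigest() for s in samples}

def longest_common_substring(a, b):
    """Classic O(len(a)*len(b)) dynamic-programming LCS over bytes."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]

def invariant_signature(samples, min_len=16):
    """Robust approach: the byte run shared by every replica. Each step
    narrows the candidate, so the result is a substring of all samples."""
    common = samples[0]
    for s in samples[1:]:
        common = longest_common_substring(common, s)
    return common if len(common) >= min_len else None

def matches(sig, sample):
    return sig is not None and sig in sample
```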
What is needed are methods, systems and computer-readable media for generating robust signatures that can commonly identify a polymorphic worm in its various forms.